In recent years, systems called cloud services, which provide software functions via the Internet, have received a lot of attention. Increasingly, a plurality of cloud services are made to cooperate to provide a new system.
A technique called “OAuth” is available as a mechanism for securely and easily implementing access control between systems that provide services through cooperating cloud services (refer to “The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25”, E. Hammer, Oct. 9, 2012).
OAuth is a technique for transferring the access authority of a user of a cooperating system to a cooperation asking system while limiting it to that access authority. With this technique, the cooperation asking system can access the cooperating system using the authority of that user, and can provide services to users by using those provided by the cooperating system. When the authentication mechanisms of the cooperating systems include an OAuth-based access authority transfer configuration, the cooperation between systems can be securely implemented without storing security-related authentication information, such as user IDs and passwords of the cooperating system, in the cooperation asking system. OAuth sets a valid period for the authorization information required to permit accesses from the cooperation asking system, and also provides a mechanism for re-issuing authorization information after the valid period has expired and a mechanism for invalidating the authorization information and the re-issuance of the authorization information.
On the other hand, as an authorization technique different from OAuth, a method of setting a valid period for use permission is known. For this method, a way of extending the valid period of use permission in each system, and a way of permitting use again without requiring verification within a given period even after the valid period has expired, are conventionally known (refer to Japanese Patent Laid Open No. 2011-519087).
However, the existing OAuth configuration for re-issuing authorization information after its valid period has expired has a security problem. More specifically, when the authentication information of a client and the update authorization information have leaked, a malicious user may illicitly re-issue authorization information. Changing the authentication information of a client, which is managed in a server system, to cope with leakage of the client authentication information and the update authorization information seriously affects the operation of the server system.
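The re-issuance and invalidation mechanisms described above, as an added example that is not part of the original document: a toy in-memory model in which the client secret and the refresh token (taken here to be the "update authorization information") are the only things the server checks on re-issue, and revoking the refresh token is what stops further re-issuance. The class, its method names, and the explicit `now` clock parameter are hypothetical.

```python
import hmac
import secrets


class AuthorizationServer:
    """Toy model (hypothetical names) of access-token re-issuance and revocation."""

    def __init__(self, access_ttl=3600):
        self.access_ttl = access_ttl  # valid period of an access token, seconds
        self.clients = {}   # client_id -> client_secret
        self.refresh = {}   # refresh_token -> client_id
        self.access = {}    # access_token -> (refresh_token, expires_at)

    def register_client(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(32)
        return self.clients[client_id]

    def _authenticate(self, client_id, client_secret):
        expected = self.clients.get(client_id)
        return expected is not None and hmac.compare_digest(expected, client_secret)

    def _issue_access(self, refresh_token, now):
        token = secrets.token_urlsafe(32)
        self.access[token] = (refresh_token, now + self.access_ttl)
        return token

    def authorize(self, client_id, now):
        """User consent granted: issue a refresh token and a first access token."""
        refresh_token = secrets.token_urlsafe(32)
        self.refresh[refresh_token] = client_id
        return self._issue_access(refresh_token, now), refresh_token

    def is_valid(self, access_token, now):
        entry = self.access.get(access_token)
        return entry is not None and now < entry[1]

    def reissue(self, client_id, client_secret, refresh_token, now):
        """Re-issue after expiry; the two secrets are the only proof checked."""
        if not self._authenticate(client_id, client_secret):
            raise PermissionError("invalid_client")
        if self.refresh.get(refresh_token) != client_id:
            raise PermissionError("invalid_grant")
        return self._issue_access(refresh_token, now)

    def revoke(self, refresh_token):
        """Invalidate the refresh token and every access token derived from it."""
        self.refresh.pop(refresh_token, None)
        for tok in [t for t, (r, _) in self.access.items() if r == refresh_token]:
            del self.access[tok]
```

Because `reissue` cannot tell who is presenting the two secrets, revoking the refresh token is the narrow response to a leak, whereas replacing the entry in `clients` affects every grant issued to that client.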